An invite to hack voting machines

The top seller of voting machines is inviting hackers to fish around for security vulnerabilities.

The nation’s leading seller of voting machines has finally agreed to play nice with “red teams” — hacking pros who probe for security vulnerabilities.

The Plan:

At the Black Hat security conference on August 6, Election Systems & Software LLC (ES&S) announced that they would work with the security firm Synack to allow “penetration testing” on the latest models of their voting technology.

The two firms will work together to arrange professional hacking attempts on devices like ES&S’s electronic poll book, which officials use to manage voter registration data. Doing so could help ES&S learn about security risks and vulnerabilities, so they can be fixed before criminal hackers exploit them.

They also announced they will crowdsource penetration tests on new products and those still in development, and make it easier for hackers to report their findings without risking legal consequences.

“The word’s gonna get out that we are serious about this. Because hackers gonna hack, researchers gonna research,” Chris Wlaschin, vice president of systems security and chief information security officer at ES&S, said, according to WIRED.

The Backstory:

Election equipment manufacturers, including ES&S, have been resistant to letting outside professional hackers test their systems.

In the past few years, the Defcon security conference has hosted “Voting Village,” where hackers have found vulnerabilities plaguing voting machines in use for decades. But election equipment companies have argued that such scenarios are unrealistic and don’t represent real-world polling situations, where additional protections are in place to make it inconceivable to hack voting equipment. To provide unfettered access for hackers to “look under the hood” is a 180-degree shift in attitude.

“There’s been a lot of bad blood in the history of this, but I think this is a positive development,” Mark Kuhr, chief technology officer at Synack, told WIRED. “What we’re trying to do is move the ball forward here and get these election technology vendors to work with researchers in a more open fashion and recognize that security researchers at large can add a lot of value to the process of finding vulnerabilities that could be exploited by our adversaries.”

Why This Matters:

An intense election is just months away, and people want assurance that their vote will count. But concerns about election security abound, with some people saying that electronic voting machines are just waiting to be hacked. A Politico survey found that in 14 states, hundreds of counties used paperless voting machines during the last presidential election — most of them plan to do the same this year. So, who ensures that votes are secure?

Some would be surprised by the loosey-goosey regulations.

There are no federal regulations on voting technology vendors, only state regulations. When it comes to requiring vendors to show cybersecurity plans or adhere to security standards, the states hold all the power. The voluntary standards created by the National Institute of Standards and Technology and the Election Assistance Commission aren’t required unless states choose to adopt them.

The Center for American Progress published a report on election security in 2018, which concluded that all states “have taken at least some steps to provide security in their election administration.” However, CAP deemed 33 states to have unsatisfactory post-election audit procedures, while 10 states do not provide cybersecurity training to officials, and 32 states allow regular absentee voters to cast their ballots electronically — a practice considered insecure by security experts. In other words: vulnerabilities exist that leave some votes susceptible to hacking.

ES&S isn’t the only company taking steps toward adding third-party investigations. Dominion Voting Systems Corp., the second-largest vendor, is also writing a “vulnerability disclosure” policy, Kay Stimson, a spokeswoman for the company, told the Wall Street Journal. And Hart InterCivic Inc. also said they are expanding vulnerability testing and working with DHS.

This year, over half of the voters in the U.S. will cast their ballot on one of ES&S’s voting machines. Because ES&S is the top U.S. manufacturer of voting equipment, it also influences the standards of an industry that has traditionally been resistant to providing open access to hackers who fish around for bugs. This collaboration could mark a significant shift in the industry toward adopting more security research.

“It is quite a change,” Wlaschin told WIRED. “Given the times that we’re in and the focus on election security, ES&S has for some time been trying to work with security researchers to, number one, improve the security of our equipment and software and, number two, to improve the perception of election security.”
